[dns-operations] need ideas for selective proxying to defeat the economic poison pill built into DOH

m3047 m3047 at m3047.net
Thu May 16 19:47:14 UTC 2019

In my opinion practical cybersecurity has been stagnant for a while (I can 
speculate why as well as anyone). Seems to me the obvious response is that 
netflow analysis makes it to the firewall:

Don't allow connections/traffic from an endpoint to any address unless a 
corresponding DNS response has been sent to that endpoint containing the 

I can do this today if I want, from my dirt road off the internet. I can 
get the DNS information with DNSTap and update IPTables accordingly. Any 
gaps in the technology or scalability can be iterated. Seems like a good 
complement to technologies such as fail2ban. Doesn't seem particularly 
earthshaking. I wouldn't be surprised to learn there's a project out there 
offering this; if there's not, let me know if you start one.


Fred Morris

More information about the dns-operations mailing list